U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report

Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2002

The Office of Justice Programs' Enterprise Network System

October 2002

03-01

INDEPENDENT EVALUATION PURSUANT TO THE GOVERNMENT INFORMATION SECURITY REFORM ACT, FISCAL YEAR 2002
THE OFFICE OF JUSTICE PROGRAMS' ENTERPRISE NETWORK SYSTEM

OFFICE OF THE INSPECTOR GENERAL COMMENTARY AND SUMMARY

The Office of Justice Programs (OJP) is a federal agency within the Department of Justice (Department). The OJP's mission is to develop the nation's capacity to prevent and control crime, improve the criminal and juvenile justice systems, increase knowledge about crime and related issues, and assist crime victims. The OJP's senior management team consists of the Assistant Attorney General (AAG), the Deputy Assistant Attorney General (DAAG), and five bureau heads.

The Enterprise Network System (ENS) is the general support system that provides enterprise-wide information infrastructure services in support of the OJP mission. The ENS stores, processes, and transmits a large variety of OJP accounting and administrative information. The OJP's mission and administrative support functions rely extensively on the availability of the ENS and on the access it provides to OJP program and financial management operations. All information on the ENS is considered sensitive but unclassified.

The Office of the Inspector General (OIG) selected the ENS as one of five sensitive but unclassified systems to review pursuant to the Government Information Security Reform Act (GISRA) for fiscal year (FY) 2002. GISRA requires the OIG to perform an independent evaluation of the Department's information security program and practices. This report contains the results of the ENS audit. Separate reports will be issued for each of the other systems evaluated pursuant to GISRA, including three systems that process classified information.

Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) was selected to perform the ENS audit. The audit took place from May through July 2002 and consisted of interviews, on-site observations, and reviews of Department and component documentation to assess the ENS's compliance with GISRA and related information security policies, procedures, standards, and guidelines.[1]

During our review of the ENS, KPMG LLP (KPMG) was performing an audit of the ENS security controls in support of the FY 2002 financial statement audit. GISRA (as part of the Paperwork Reduction Act) requires that the OIG and its contractors rely whenever possible on work performed by other reviewers for GISRA audits, so as not to duplicate effort. To avoid duplication, PwC limited its role to reviewing management and operational controls and relied on the testing of technical controls performed by KPMG.

PwC's testing did not identify any areas where additional work was required or where there appeared to be any inconsistency with the conclusions reached by KPMG. Therefore, for the vulnerabilities noted in this report, we[2] are not providing recommendations. Instead, we are consolidating and reporting the recommendations in the OIG's FY 2002 financial statement audit report to simplify tracking of recommendations and corrective actions.[3]

Based on PwC's and KPMG's assessments, we rated the management, operational, and technical controls as a medium to high risk to the protection of the ENS from unauthorized use, loss, or modification. Specifically, the auditors identified vulnerabilities in 7 of the 17 control areas. Two of the seven vulnerabilities were identified as high risks to the protection of the ENS, as indicated in the following chart.

[1] In a September 1997 audit, report number 97-26, the OIG recommended that the Department develop effective computer security program guidance. The Department then revised its policy and released DOJ Order 2640.2D, "Information Technology Security," in July 2001, which was used in the analysis of this year's review.

[2] In this report, "we" refers either to the OIG or to PwC working under the direction of the OIG. With respect to the discussion of technical controls, "we" also encompasses the work performed by KPMG under the direction of the OIG.

[3] At the time of our audit, the financial statement audit report had not been issued.

CONTROL AREAS[4]                                           VULNERABILITIES NOTED

Management Controls
  1.  Risk Management
  2.  Review of Security Controls
  3.  Life Cycle                                            √
  4.  Authorize Processing (Certification and Accreditation)
  5.  System Security Plan                                  √
Operational Controls
  6.  Personnel Security                                    √
  7.  Physical and Environmental Protection
  8.  Production, Input/Output Controls
  9.  Contingency Planning                                  √
  10. Hardware and Systems Software Maintenance
  11. Data Integrity
  12. Documentation
  13. Security Awareness, Training, and Education           √
  14. Incident Response Capability
Technical Controls
  15. Identification and Authentication                     √*
  16. Logical Access Controls                               √*
  17. Audit Trails

Source: The OIG's FY 2002 GISRA audit of the ENS

√* Significant vulnerability in which the risk was rated high. A high-risk vulnerability is one whose exploitation could have extremely grave consequences: a remote or local attacker could defeat the security protection of the system through user or root account access, gain complete control of the system, and compromise critical information.

[4] Control areas as described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems."

As a result of this audit, we identified the following vulnerabilities:

  • Service request (SR) changes were made without proper management review.

  • System security plans, operating procedure guides, the organizational chart, and system configuration management guides were not updated to reflect current conditions.

  • Remote user authorization policies and procedures were not effectively enforced.

  • The contingency plan was not updated or tested.

  • ENS personnel were not always trained on emergency procedures, and the procedures were not always distributed to staff.

  • Password security controls were not enforced because the OJP's policies and procedures were not effectively communicated.

  • Workstation area security was inadequate.

We concluded that these vulnerabilities occurred because OJP management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures in the certification and accreditation process to ensure the ENS is protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities expose the ENS and its data to unauthorized use, loss, or modification.

TABLE OF CONTENTS

OBJECTIVE, SCOPE, AND METHODOLOGY
ENTERPRISE NETWORK SYSTEM (ENS) ENVIRONMENT
SUMMARY RESULTS OF THE AUDIT
FINDINGS
I.   Management Controls
     A. Life Cycle
     B. System Security Plan
II.  Operational Controls
     A. Personnel Security
     B. Contingency Planning
     C. Security Awareness, Training, and Education
III. Technical Controls
     A. Identification and Authentication
     B. Logical Access Controls
CONCLUSION
APPENDIX I - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY GENERAL CONTROL AREAS
APPENDIX II - REPORT STATUS

OBJECTIVE, SCOPE, AND METHODOLOGY

The Fiscal Year (FY) 2001 Defense Authorization Act (Public Law 106-398) includes Title X, Subtitle G, the "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:

  • Have an annual independent evaluation of their information security program and practices performed.
  • Ensure information security policies are founded on a continuous risk management cycle.
  • Implement controls that address assessed information security risks.
  • Promote continuing awareness of information security risks.
  • Continually monitor and evaluate information security policy and the effectiveness of information security practices.
  • Provide a risk assessment and report on the security needs of the agency's systems, and include the report in the budget request to the Office of Management and Budget (OMB).

The objective of the audit was to determine the U.S. Department of Justice's (Department) compliance with the GISRA requirements. The Enterprise Network System (ENS) was selected as one of the subset of systems to be tested to determine the effectiveness of the Department's overall security program for FY 2002.
At the time of our audit, KPMG LLP (KPMG) was performing a significant portion of the information security work required by GISRA as part of the Department's financial statement audits. KPMG was contracted to perform this work under the supervision of the OIG.

In determining whether the Department is compliant with GISRA requirements, we used the collective work of KPMG and PricewaterhouseCoopers LLP (PwC) to determine whether adequate computer security controls existed to protect the ENS from unauthorized use, loss, or modification. Although this report describes security vulnerabilities, we are not prescribing recommendations. Instead, we are consolidating and reporting the recommendations in the OIG's FY 2002 financial statement audit report to simplify tracking of recommendations and corrective actions.

We interviewed OJP management personnel, reviewed system documentation, and performed testing to determine compliance with Office of Justice Programs (OJP) and Department security policies and procedures. We performed the audit in accordance with Government Auditing Standards; the audit work took place from May through July 2002. We performed test work at OJP Headquarters in Washington, D.C.

For the interviews, we used the questionnaire contained in National Institute of Standards and Technology (NIST) Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems." This questionnaire contains specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire covers 17 areas under 3 general control categories (management, operational, and technical). The areas contain 36 critical elements and 225 supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from OMB Circular A-130 and are integral to an effective IT security program. The control objectives and techniques support the critical elements; if a number of the control objectives and techniques are not implemented, the corresponding critical element has not been met.

The audit approach was based on the General Accounting Office's Federal Information System Controls Audit Manual, the Chief Information Officer Council Framework, OMB Circular A-130, and guidance established by NIST. These authorities prescribe a review that evaluates the adequacy of management, operational, and technical controls over the control areas listed in Appendix I.

ENTERPRISE NETWORK SYSTEM (ENS) ENVIRONMENT

The OJP's Corporate Network, also known as the ENS, was selected by the OIG in consultation with Department management as one of the subset of systems to be tested to determine the effectiveness of the Department's overall security program for FY 2002. The ENS supports the information processing needs of more than 800 OJP employees and over 600 contract employees. The ENS is a client/server network consisting of a variety of platforms, including Novell NetWare, Windows NT, and UNIX.

The ENS infrastructure consists of the Private Network and the Public Services Network. The Private Network provides the strongest safeguards for the OJP's most valuable systems and services by granting access only to OJP personnel. The Public Services Network provides restricted interoperability with the public behind significant security safeguards.

The ENS is physically housed in Washington, D.C., and is the general support system that provides enterprise-wide communication infrastructure services in support of the OJP mission. The information stored, processed, and transmitted on the ENS is sensitive but unclassified (SBU). The ENS contains government business and financial information that, if disclosed to unauthorized parties, could result in financial loss or adverse legal action against the OJP.

SUMMARY RESULTS OF THE AUDIT

We obtained audit evidence to determine whether adequate computer security controls existed to protect the OJP network from unauthorized use, loss, or modification. We assessed the management, operational, and technical controls across the 17 control areas as a medium to high risk for the ENS. Our assessment disclosed vulnerabilities within 7 of the 17 areas. Two of the seven vulnerabilities were within technical controls and were identified as high risks to the protection of the OJP network. For the vulnerabilities noted in this report, we are not providing recommendations. Instead, we will consolidate and report the recommendations in the OIG's FY 2002 financial statement audit report to simplify tracking of recommendations and corrective actions.

We concluded that these vulnerabilities occurred because OJP management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures in the certification and accreditation process to ensure the ENS network was protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities expose the ENS and its data to unauthorized use, loss, or modification.

FINDINGS

Our review disclosed that security controls need improvement to fully protect the ENS from unauthorized use, loss, or modification. Specifically, vulnerabilities were identified in the following areas: life cycle controls; system security planning; personnel security; security awareness, training, and education; contingency planning; identification and authentication; and logical access controls. These vulnerabilities occurred because OJP management did not enforce or formalize agency-wide and Department-level policies and procedures to fully secure the system.

I.   Management Controls. Management controls are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and of risk within the organization.

     Management Controls                                       Vulnerabilities Noted
       Risk Management
       Review of Security Controls
       Life Cycle                                              √
       Authorize Processing (Certification and Accreditation)
       System Security Plan                                    √

Our testing confirmed that management controls were adequate in the areas of risk management, review of security controls, and authorize processing. However, we found vulnerabilities in the following management control areas:

A. Life Cycle. Security is an important part of the system life cycle and is best managed if it is planned for across the entire life cycle. There are many models for the system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

Issue: Service Request

Condition:

We found that the only service request (SR) change submitted during the fiscal year was moved into production without the required approval of the Configuration Management manager. In addition, OJP staff do not follow the OJP's configuration management policies on approval signatures.

Cause:

OJP staff do not consider this signature a priority and do not enforce the requirement, because other signatures (the requester's supervisor's signature and the completion signature) are required and obtained before changes are moved into production.

Criteria:

The "OJP System Configuration Management Guide," dated November 12, 1999, requires the Configuration Management manager's approval for software changes.

Risk:

Without the required approval signatures, code may enter the production environment without proper management review. This increases the risk that code may malfunction or cause damage to OJP systems or information in the production environment.

B. System Security Plan. A system security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements.
The plan delineates the responsibilities and expected behavior of all individuals who access the system.

Issue: Outdated Documentation

Condition:

The ENS system security plan, operating procedure guides, the organizational chart, and the system configuration management guides have not been updated since December 15, 2000, to reflect current conditions at the OJP for FY 2002. The OJP policies, procedures, and guides refer to the Information Resource Management Division (IRMD) rather than the newly formed Office of the Chief Information Officer.

Cause:

The reorganization of the IRMD into the Office of the Chief Information Officer has not been incorporated into the OJP's official documents.

Criteria:

NIST Special Publication (SP) 800-18, "Guide for Developing Security Plans for Information Technology Systems," Section 3.2.2, Responsible Organization, requires that the OJP "list the federal organizational sub-component responsible for the system."

NIST SP 800-18, Section 3.2.4, Assignment of Security Responsibility, states: "an individual must be assigned responsibility in writing to ensure that the application or general support system has adequate security."

Risk:

Outdated documentation could lead to confusion as to the current status and responsibilities of key individuals at the OJP.

II.  Operational Controls. Operational controls address security controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system. They often require technical or specialized expertise and rely upon management activities as well as technical controls.

     Operational Controls                                      Vulnerabilities Noted
       Personnel Security                                      √
       Physical and Environmental Protection
       Production, Input/Output Controls
       Contingency Planning                                    √
       Hardware and Systems Software Maintenance
       Data Integrity
       Documentation
       Security Awareness, Training, and Education             √
       Incident Response Capability

Our testing confirmed that operational controls were adequate within the areas of physical and environmental protection; production, input/output controls; hardware and systems software maintenance; data integrity; documentation; and incident response capability. However, our testing identified vulnerabilities within the other operational control areas. The specific details of the identified vulnerabilities are listed below.

A. Personnel Security. Personnel security concerns the use of computer systems by human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs.

Issue: Policy and Procedures

Condition:

Documentation supporting compliance with the OJP's remote user authorization policies and procedures was not consistently on file. Specifically, we noted the following weaknesses:

  • Two of 15 users did not have documentation on file supporting the approval of their access to related OJP systems;

  • Nine of 15 remote users had not signed the "Secure-UserID" form required by the OJP for remote user authorization; and

  • Three of 15 users did not have documentation on file supporting their termination from related OJP systems.

Cause:

The policies and procedures within the OJP Security Operating Procedures Guide (SOPG) have not been enforced. Specifically, OJP management uses methods outside the policy to expedite user authorization. For example, e-mail or verbal confirmation has been used rather than the methods required by the OJP SOPG.

Criteria:

"Office of Justice Programs, Security Operating Procedures Guide (SOPG)," Section 3.1.1, User Account Authorization, requires the following:

  • Requests for dial-in access will be submitted, in writing, to the Computer System Security Officer (CSSO) and have the approval of the Bureau/Office head.

  • Authorized users will receive a SecureID key from the contractor.

  • Users must sign a SecureID receipt and are responsible for safeguarding the SecureID key.

  • Users must attend a one-on-one orientation with the Network Communications Administrator.

Risk:

Without effective enforcement of user authorization policies and procedures, the authorization process may be circumvented, allowing an individual to obtain remote access without proper authorization or justification. Without a record of termination, there is also no assurance that a departed user's remote access was actually removed.

B. Contingency Planning. Contingency planning ensures continued operations by minimizing the risk of events that could disrupt normal operations and by having an approach in place to respond to those events should they occur.

Issue: Backup and Service Continuity

Condition:

The following weaknesses were identified in the OJP's backup and service continuity procedures:

  • Oracle backup tapes are not sent to the off-site facility on a weekly or bi-weekly basis.

  • The contingency plan does not provide for a backup site.

  • Performance goals have not been established for server availability, so the contractors do not track server availability.

Cause:

The Oracle contractors are not following the OJP procedure to ship backup tapes to the off-site facility weekly or bi-weekly. The Office of the Chief Information Officer has not recognized the need to set server availability goals for the contractors responsible for maintaining server availability. In addition, the contractors do not monitor server availability over the long term, since they have no formal guidelines from the OJP on the acceptable level of downtime.

Criteria:

The OJP's Automated Information System Security Plan for the Enterprise Network System, dated December 15, 2000, Section 4.4, Contingency Planning, requires that at the end of each week all incremental tapes and the full (weekly) backup tape be stored off-site.

Risk:

Backup tapes of critical Oracle data may be lost if a disaster occurs at the OJP facility. If the OJP loses its on-site data from the Oracle servers, it would be unable to recover valuable information.

Because server availability is not monitored adequately, the contractors and OJP staff might not recognize a long-term degradation in server performance in time to address the problem effectively.

Issue: Contingency Plan

Condition:

  • The plan has not been updated since FY 2000.

  • OJP staff have not been trained on the plan, nor has the plan been distributed to staff.

  • The plan does not specify the length of time within which operations should resume.

  • The plan has no formal test procedures or policies in place for testing.

Cause:

According to OJP management, the Office of the Chief Information Officer has not had the resources (staff and budget) to update the contingency plan since FY 2000. The Office of the Chief Information Officer does not see a benefit in distributing the existing plan because of its length; thus, staff were not trained on the current contingency plan. Additionally, the contingency plan does not establish specific timelines because the developers of the plan wanted to keep the plan vague. Finally, the Office of the Chief Information Officer believes that occasional incidents, such as server outages or inclement weather, serve as the test of the contingency plan.
The\nOffice of the Chief Information Officer does not perform additional tests of\nthe contingency plan.\n\nCriteria:\n\nOMB Circular A-130, Appendix III, Security of Federal Automated\nInformation Systems, states: \xe2\x80\x9cAgency plans should assure that there is an\nability to recover and provide service sufficient to meet the minimal needs of\nusers of the system.\xe2\x80\x9d\n\nNIST SP 800-14, Generally Accepted Principles and Practices for Securing\nInformation Technology Systems, Section 3.6.5 \xe2\x80\x93 Test and Revise Plan,\nrequires that an organization test and revise the contingency plan.\nAdditionally, NIST requires that the organization update the plan since it will\nbecome outdated as time passes and as the resources used to support\ncritical functions change.\n\n\n\n                                     -10-\n\x0cDOJ Order 2640.2D, Information Technology Security, Chapter 1, Section 9,\nContingency Planning/Business Resumption Planning requires components\ntest contingency/business resumption plans annually or as soon as possible\nafter a significant change to the environment that would alter the in-place\nassessed risk.\n\nNIST SP 800-12, Section 11 \xe2\x80\x93 Preparing for Contingencies and Disasters\nstates: \xe2\x80\x9cContingency planning involves more than planning for a move\noffsite after a disaster destroys a data center. It also addresses how to keep\nan organization\'s critical functions operating in the event of disruptions, both\nlarge and small. This broader perspective on contingency planning is based\non the distribution of computer support throughout an organization.\xe2\x80\x9d\n\nNIST SP 800-14, Section 3.6.2 \xe2\x80\x93 Identify Resources, states: \xe2\x80\x9cTime Frame\nNeeded. 
In addition, an organization should identify the time frames in\nwhich each resource is used and the effect on the mission or business of the\ncontinued unavailability of the resource.\xe2\x80\x9d\n\nRisk:\n\nDuring an extended outage and/or disaster, information system processing\nfunctions and vital business operations may be damaged and unable to\nfunction. Without a comprehensive business continuity plan, the OJP could\nface potentially critical financial data losses in the event of a disaster.\nTesting is one of the most important functions in maintaining a viable\ndisaster recovery plan. It is through testing that weaknesses in the plan are\nuncovered and can be corrected. Testing should be performed to ensure\nthat critical information for continued operations is not lost due to a failure\nto fully identify information technology recovery needs during a disaster.\n\nC. Security Awareness, Training, and Education. People are a crucial\n   factor in ensuring the security of computer systems and valuable\n   information resources. Security awareness, training, and education\n   enhance security by improving awareness of the need to protect system\n   resources. Additionally, training develops skills and knowledge so\n   computer users can perform their jobs more securely.\n\n\n\n\n                                     -11-\n\x0cIssue: Emergency Procedures\n\nCondition:\n\nFrom interviews with the OJP management and staff regarding the OJP\xe2\x80\x99s\nemergency procedures, we noted the following:\n\n   \xe2\x80\xa2    Staff members have not been trained on emergency procedures.\n\n   \xe2\x80\xa2    Emergency procedures have not been distributed to the staff.\n\nCause:\n\nThe Office of Administration considers the bi-annual fire drills adequate\ntraining on emergency procedures. Key individuals are trained monitors for\neach floor and are responsible for ensuring that everyone is evacuated in the\nevent of an emergency. 
According to the OJP management, the Emergency Operations and Occupation Plan is not distributed because the document is too large.

Criteria:

OMB Circular A-130 states that management should plan for how they will perform their mission and/or recover from the loss of existing application support, whether the loss is due to the inability of the application to function or a general support system failure.

NIST SP 800-12, Section 11 – Preparing for Contingencies and Disasters, states: “Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization.”

Risk:

Without proper training, employees may not be adequately prepared to respond appropriately in the event of an emergency.

III.  Technical Controls. Technical controls focus on security controls that the computer system executes and depend upon the proper functioning of the system to be effective. Technical controls require significant operational considerations and should be consistent with the management of security within the organization.

        Technical Controls                      Vulnerabilities Noted
        Identification and Authentication       √*
        Logical Access Controls                 √*
        Audit Trails

        √* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.

During our review of the ENS, KPMG was performing an audit of the ENS security controls in support of the FY 2002 financial statement audit. KPMG assessed the technical controls using commercial-off-the-shelf and proprietary software to conduct network scanning on the ENS. The technical vulnerabilities reported in this report are KPMG’s results, relied upon by PwC.

As a result of testing the ENS’s technical controls, we confirmed that controls were adequate in the area of audit trails. Test results identified high vulnerabilities within critical areas of the ENS’s technical controls, as listed below.

A. Identification and Authentication. Identification and authentication are technical measures that prevent unauthorized people or processes from entering an IT system. Identification, most commonly used for access control, is the means by which users claim their identities to a system. Authentication is the verification that a person’s claimed identity is valid and is usually implemented through the use of passwords.

A password is a unique string of characters that must be provided before a logon or access is authorized to a computer system. Passwords are security measures used to restrict logons to user accounts and access to computer systems and resources.
The OJP password controls tested via network security penetration testing were found to be inadequate.

Issue: Authentication Controls

Condition:

User authentication controls are not in compliance with the policies and procedures set forth by the OJP password management guidelines. Specifically, we noted the following instances of weak or non-existent passwords in place on key business database servers, operating system accounts, and network devices:

   •  Null session connections to the OJP registered Primary Domain Controller.

   •  Default database server accounts/passwords.

   •  Passwords equal to the user name.

   •  Blank passwords.

   •  Default Simple Network Management Protocol (SNMP) community strings on network devices.

Cause:

Ineffective communication of the OJP policies and procedures to administrative staff has created a situation where password security controls are not enforced. Specifically, we noted numerous instances where administrators were not aware of the password guidance provided by the OJP Computer Security Program.

Criteria:

Department of Justice – Office of Justice Programs: Computer System Password Policy, Section 3, requires that passwords be used on all automated information systems to protect systems and system-level accounts, individual accounts, and sensitive information processed or stored by the systems.

   •  All user and system passwords should be at least eight characters in length.

   •  All user and system passwords should consist of a mix of at least three of the following: English uppercase, English lowercase, numeric, special characters.

   •  Dictionary words, simple keyboard patterns, or character strings shall not be used.

DOJ Order 2640.2D, “Information Technology Security,” Chapter 2, Section 18, requires that Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:

   •  An eight-character password composed of at least three of the following: English uppercase, English lowercase, numeric, and special characters.

   •  Prevent the use of the previous six passwords.

   •  Prevent the display of a clear text password.

   •  Limit password lifetime to a maximum of ninety (90) days.

Furthermore, DOJ Order 2640.2D, Chapter 2, Section 18, states Department IT systems shall: “disable system default passwords as soon as possible after system installation and before the system becomes operational.”

Risk:

Poor password security parameters subject critical ENS information to potential unauthorized access and prevent the ENS system administrators from detecting unauthorized access on a system. Easily guessed passwords obtained during a brute force attack may compromise the identification and authentication integrity of the ENS servers.

B. Logical Access Controls. Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Issue: Network Devices

Condition:

The OJP did not enforce technical controls to achieve optimal workstation security, resulting in the use of unauthorized network devices within the OJP facility. Specifically, we found:

   •  Active network ports in vacant cubicles.

   •  No password-protected screensavers for unattended terminals.

   •  Warning banners not displayed upon login.

Cause:

Controls to enforce workstation security, as specified in the OJP SOPG, have not been effectively communicated to OJP system users.
For example, the Dynamic Host Configuration Protocol (DHCP) server responds to DHCP client requests; however, an unattended workstation with an active drop can be used by any user and computer recognized by the network servers.

Criteria:

“Department of Justice – Office of Justice Programs: Enterprise Security Network Security Operating Procedures Guide (SOPG),” Section 4.7.4 – Workstation Area Security, requires the following:

   •  Access controls must be enabled to provide security to limit access to only authorized individuals.

   •  Users must ensure a screen saver is enabled with password protection when leaving their workstation for a period of time.

DOJ Order 2640.2D, “Information Technology Security,” Chapter 2, Section 20 – Warning Banner, requires “all Department IT systems implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties.”

Risk:

Inadequate workstation area security may allow an unauthorized user to use an unattended workstation to gain access to network resources, or to view sensitive data that was not properly secured using a screen saver. In addition, unauthorized full network access may be gained by connecting a computer directly to an active network drop.

Issue: Denial of Service

Condition:

We used an automated vulnerability scanner, NESSUS, to detect possible exploitable weaknesses associated with the OJP’s public web servers. We noted that one web server is vulnerable to a possible “denial-of-service” (DOS) attack, and one web server discloses various parts of its directory structure. A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include attempts to “flood” a network, thereby preventing legitimate network traffic, and attempts to disrupt connections between two machines, thereby preventing access to a service.

Cause:

The identified web servers have not been updated to address the latest vulnerabilities.

Criteria:

OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” states: “in every general support system, a number of technical, operational, and management controls are used to prevent and detect harm. Such controls include individual accountability, ‘least privilege,’ and separation of duties.

Individual accountability consists of holding someone responsible for his/her actions. In a general support system, accountability is normally accomplished by identifying and authenticating users of the system and subsequently tracing actions on the system to the user who initiated them. Least privilege is the practice of restricting a user’s access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his job.”

Risk:

The current vulnerabilities allow an attacker to perform DOS attacks that could potentially shut down the ENS web server. Additionally, by requesting the “robots.txt” file, the attacker can ascertain the directory structure on the web server and modify information.

CONCLUSION

Our review disclosed that security controls need improvement to fully protect the ENS from unauthorized use, loss, or modification. Specifically, we found vulnerabilities in the areas of life cycle controls; system security planning; personnel security; contingency planning; security awareness, training, and education; identification and authentication; and logical access controls. We assessed these vulnerabilities as a medium to high risk to the ENS. If not corrected, these security vulnerabilities threaten the data stored on the ENS with the potential for unauthorized use, loss, or modification.

                                                             APPENDIX I

       NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
                   GENERAL CONTROL AREAS

The review focused on evaluating the adequacy of management, operational, and technical controls over the following specific control areas:

I. MANAGEMENT CONTROLS. Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

   •  Risk Management. Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
Assessing risk management involves evaluating OJP’s efforts to complete the following critical procedures:

      o  A system risk assessment had been performed periodically.
      o  Program officials understand the risk to systems under their control and had determined the acceptable level of risk.

   •  Review of Security Controls. Routine evaluations and response to identified vulnerabilities are important elements of managing security controls of a system. Determining whether review of security controls had been adequately performed requires the auditor to assess if the following critical items were completed:

      o  A system security control review had been performed for both the ENS and interconnected systems.
      o  Management ensured effective implementation of corrective actions.

   •  Life Cycle. Like other aspects of an IT system, security is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal. Assessing a system’s life cycle involves identifying if the following critical items are in place for the ENS:

      o  A system development life cycle methodology.
      o  System change controls as programs progress through testing to final approval.

   •  Authorize Processing (Certification and Accreditation). Authorize processing (also referred to as certification and accreditation) provides a form of assurance of the security of the system. Determining whether the ENS had been appropriately authorized to process data involves analyzing critical documents that identify whether:

      o  The system had been certified/recertified and authorized to process (accredited).
      o  The system is operating on an interim authority in accordance with specified agency procedures.

   •  System Security Plan. A system security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The plan delineates responsibilities and expected behavior of all individuals who access the system. Assessing whether the ENS has an adequate system security plan requires identifying if the following critical elements were met:

      o  A system security plan had been documented for the system and all interconnected systems if the boundary controls are ineffective.
      o  The plan is kept current.

II. OPERATIONAL CONTROLS. Operational controls address security controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system. They often require technical or specialized expertise and rely upon management activities as well as technical controls.

   •  Personnel Security. Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Assessing personnel security involves evaluating the OJP efforts to complete the following critical procedures:

      o  Duties are separated to ensure least privilege and individual accountability.
      o  Appropriate background screening is completed.

   •  Physical and Environmental Protection. Physical security and environmental security are the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. Assessing physical and environmental protection involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Adequate physical security controls have been implemented and are commensurate with the risks of physical damage or access.
      o  Data is protected from interception.
      o  Mobile and portable systems are protected.

   •  Production, Input/Output Controls. There are many aspects to supporting IT operations. Topics range from a user help desk to procedures for storing, handling, and destroying media. Assessing production, input/output controls involves evaluating the OJP efforts to complete the following critical procedures:

      o  User support is being provided to ENS users.
      o  Media controls are in place for the ENS.

   •  Contingency Planning. Contingency planning ensures continued operations by minimizing the risk of events that could disrupt normal operations and having an approach in place to respond to those events should they occur. Assessing contingency planning involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Identify the most critical and sensitive operations and their supporting computer resources.
      o  Develop and document a comprehensive contingency plan.
      o  Have tested contingency/disaster recovery plans in place.

   •  Hardware and System Software Maintenance. These are controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes. Some of these controls are also covered in the Life Cycle section. Assessing hardware and system software maintenance involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Access is limited to system software and hardware.
      o  All new and revised hardware and software are authorized, tested, and approved before implementation.
      o  Systems are managed to reduce vulnerabilities.

   •  Data Integrity. Data integrity controls are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity. Assessing data integrity involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Virus detection and elimination software is installed and activated.
      o  Data integrity and validation controls are used to provide assurance that the information has not been altered and the system functions as intended.

   •  Documentation. The documentation contains descriptions of the hardware, software, policies, standards, procedures, and approvals related to the system and formalizes the system’s security controls. Assessing documentation involves evaluating OJP’s efforts to complete the following critical procedures:

      o  There is sufficient documentation that explains how software/hardware is to be used.
      o  There are documented formal security and operational procedures.

   •  Security Awareness, Training, and Education. People are a crucial factor in ensuring the security of computer systems and valuable information resources. Security awareness, training, and education enhance security by improving awareness of the need to protect system resources. Additionally, training develops skills and knowledge so computer users can perform their jobs more securely and builds in-depth knowledge. Assessing security awareness, training, and education involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Employees have received adequate training to fulfill their security responsibilities.

   •  Incident Response Capability. A computer security incident is an adverse event in a computer system or network. Such incidents are becoming more common and their impact is far-reaching. The following questions are organized according to two critical elements. Assessing incident response capability involves evaluating OJP’s efforts to complete the following critical procedures:

      o  There is a capability to provide help to users when a security incident occurs in the system.
      o  Incident-related information is shared with appropriate organizations.

III. TECHNICAL CONTROLS. Technical controls focus on security controls that the computer system executes and depend upon the proper functioning of the system to be effective. Technical controls require significant operational considerations and should be consistent with the management of security within the organization.

   •  Identification and Authentication. Identification and authentication is a technical measure that prevents unauthorized people or processes from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Authentication is verification that a person’s claimed identity is valid, and it is usually implemented through the use of passwords. Assessing identification and authentication involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Users are individually authenticated via passwords and other devices.
      o  Access controls are enforcing segregation of duties.

   •  Logical Access Controls. Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted. Assessing logical access controls involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Logical access controls restrict users to authorized transactions and functions.
      o  There are logical controls over network access.
      o  There are controls implemented to protect the integrity of the application and the confidence of the public when the public accesses the system.

   •  Audit Trails. Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. Assessing audit trails involves evaluating OJP’s efforts to complete the following critical procedures:

      o  Activity involving access to and modification of sensitive or critical files is logged, monitored, and possible security violations are investigated.

                                                             APPENDIX II

                              REPORT STATUS

For the vulnerabilities noted in this report, as previously discussed, we are not providing separate recommendations. Instead, we will consolidate and report the recommendations in the OIG's financial statement FY 2002 report to simplify tracking of recommendations and corrective actions. Therefore, this report is closed.
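The password rules quoted under the Authentication Controls finding (OJP Computer System Password Policy, Section 3, and DOJ Order 2640.2D, Chapter 2, Section 18) encoded as a checker that also flags the weaknesses listed in that finding's Condition (blank passwords, passwords equal to the user name, default passwords and SNMP community strings). This is an added example, not code from the report, OJP, KPMG or PwC; the word lists are small constructed samples, and `check_password` and `password_expired` are names chosen here.

```python
"""Password-policy checker modelled on the criteria quoted in the report's
Authentication Controls finding.  Added example; the dictionary, default
secret and keyboard-pattern lists are constructed samples standing in for
an organisation's real word lists."""
from datetime import date, timedelta
import re
import string

MIN_LENGTH = 8          # "at least eight characters in length"
MIN_CLASSES = 3         # "at least three of the following" four classes
HISTORY_DEPTH = 6       # "prevent the use of previous six passwords"
MAX_LIFETIME_DAYS = 90  # "maximum of ninety (90) days"

# Constructed sample lists; a deployment would load full word lists.
DICTIONARY_WORDS = {"password", "justice", "welcome", "summer", "letmein"}
# Sample vendor defaults, covering "system default passwords" and the
# default SNMP community strings named in the finding's Condition.
DEFAULT_SECRETS = {"public", "private", "admin", "changeme", "sa"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")

SPECIALS = set(string.punctuation)


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special)
    the password draws from."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ))


def _core_word(password: str) -> str:
    """Drop digits and punctuation so 'Justice2002!' still matches 'justice'."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_simple_pattern(password: str) -> bool:
    """Keyboard runs, near-constant strings, or a dictionary word with
    decoration (the policy's 'dictionary words, simple keyboard patterns,
    or character strings')."""
    lowered = password.lower()
    if any(p in lowered for p in KEYBOARD_PATTERNS):
        return True
    if len(set(lowered)) <= 2:          # e.g. 'aaaaaaaa' or 'abababab'
        return True
    return _core_word(password) in DICTIONARY_WORDS


def check_password(username: str, candidate: str, history=()) -> list:
    """Return the policy clauses the candidate violates (empty list = OK).

    `history` holds the account's earlier passwords, most recent last; only
    the last HISTORY_DEPTH entries matter.  A real system would store
    salted hashes and hash the candidate the same way before comparing."""
    violations = []
    if candidate == "":
        violations.append("blank password")
    if candidate.lower() == username.lower():
        violations.append("password equal to user name")
    if candidate.lower() in DEFAULT_SECRETS:
        violations.append("system default password or community string")
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if candidate and is_simple_pattern(candidate):
        violations.append("dictionary word or simple keyboard pattern")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        violations.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return violations


def password_expired(set_on: date, today: date) -> bool:
    """True once the password is older than the 90-day lifetime limit."""
    return today - set_on > timedelta(days=MAX_LIFETIME_DAYS)


if __name__ == "__main__":
    for user, pw in (("jsmith", "jsmith"), ("netadmin", "public"),
                     ("jsmith", "Justice2002!"), ("jsmith", "Gr4nt$Audit")):
        print(f"{user}/{pw!r}: {check_password(user, pw) or 'compliant'}")
```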